I have figured out how to change the serial number of the VCM2 as well as enter test mode, and get a root shell on it.
You’ll need a microSD card for this to work.
1. Use IDS 86.
2. Recover your VCM2.
a. Describing how to recover is beyond the scope of this post. Search the forums for instructions.
b. After recovery your VCM2 should be at VCM2 FW version 2.1.1.5.
3. Wait about 90 seconds after the VCM2 beeps before proceeding. We are waiting for the SD card to be populated.
4. Unplug the VCM2 and eject the SD card.
5. Mount the SD card with a linux machine.
6. On the SD card open ‘apps/vci-diags/hwtest-scripts/self-test.sh’ for editing.
7. Add the following line to the file:
2. Recover your VCM2.
a. Describing how to recover is beyond the scope of this post. Search the forums for instructions.
b. After recovery your VCM2 should be at VCM2 FW version 2.1.1.5.
3. Wait about 90 seconds after the VCM2 beeps before proceeding. We are waiting for the SD card to be populated.
4. Unplug the VCM2 and eject the SD card.
5. Mount the SD card with a linux machine.
6. On the SD card open ‘apps/vci-diags/hwtest-scripts/self-test.sh’ for editing.
7. Add the following line to the file:
touch /etc/vci/config/testmode
8. Cleanly unmount the SD card and insert it back into the VCM2.
9. Plug the VCM2 unit into the computer and wait 90 seconds past beep before proceeding.
10. Launch IDS.
11. Go to system utilities
9. Plug the VCM2 unit into the computer and wait 90 seconds past beep before proceeding.
10. Launch IDS.
11. Go to system utilities
- Select ‘Launch Monitor Tool’ and confirm on the pop up.
13. Select ‘Run System Diagnostics’ > ‘Next’ > ‘Test a VCM II Module’ > ‘Next’
- Once the test completes unplug, wait a couple seconds, and then re-plug the VCM2 into the computer.
15. Wait about 15 seconds past when the VCM2 beeps and point your browser to http://192.168.171.2
You are now in the test mode web server.
a. To set a new serial number select ‘Set New Serial Number’ and proceed with serial number setting.
The default serial number is: 1211-31605352
b. To get a root shell Telnet to 192.168.171.2 you will be dropped to a root shell without providing login credentials.
c. To stay in testmode at next reboot select ‘Set Repair Test Mode’. This has to be done once per boot or you will have to go through this whole process to re-enable test mode.
a. To set a new serial number select ‘Set New Serial Number’ and proceed with serial number setting.
The default serial number is: 1211-31605352
b. To get a root shell Telnet to 192.168.171.2 you will be dropped to a root shell without providing login credentials.
c. To stay in testmode at next reboot select ‘Set Repair Test Mode’. This has to be done once per boot or you will have to go through this whole process to re-enable test mode.
Here Be Dragons:
To those who would go poking around, tread carefully. I accidentally ran cgi-bin/total-reflash and wiped my VCM2.
To those who would go poking around, tread carefully. I accidentally ran cgi-bin/total-reflash and wiped my VCM2.
My bootloader was still intacted and available on pins 24 & 25 of the HDL26-PL-B connector.
Posted by ColtB45
src: https://mhhauto.com/Thread-VCM2-Hacking
src: https://mhhauto.com/Thread-VCM2-Hacking
YOU ARE TRYING ON YOUR OWN RISK!
No comments:
Post a Comment